Tuesday, 27 September 2016

php - What way is the best way to hash a password?





I'm working on a website that should be very safe for the users, so I need to hash the passwords. Usually I'm using MD5, but I read that it isn't safe anymore. So I tried PHPass, but then I read that it also has been cracked. So I tried password_hash() of PHP 5.5, but I use HostGator, and the PHP there is 5.4. Also I want to be able to add salt without knowing it (like time() * userid()), like in password_hash().



The hash strength is very important to me because I want to be 100% sure that my users are safe. So is there a way that is very safe and not something like SHA that will be hacked soon?


Answer



Use this library which provides forward compatibility with the password_* functions.



Example usage:



    require_once("password.php"); // imports the library, assuming it's in the same directory as the current script

    $password = "HelloStackOverflow"; // example password

    $hash = password_hash($password, PASSWORD_BCRYPT); // here's the hash of the previous password

    // you can set the "complexity" of the hashing algorithm, it uses more CPU power
    // but it'll be harder to crack, even though the default is already good enough
    $hash = password_hash($password, PASSWORD_BCRYPT, array("cost" => 10));

    if (password_verify($password, $hash)) { // checking if a password is valid
        /* Valid */
    } else {
        /* Invalid */
    }
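
The following is an added example, not part of the original answer: it shows that no salt has to be supplied or stored separately, and how a login routine can upgrade hashes created at a lower cost. The helper names `store_password` and `login`, the in-memory `$users` array and the target cost are assumptions for illustration; on PHP older than 5.5 it also assumes the library loaded via `password.php` provides `password_needs_rehash()` and `password_get_info()`.

```php
<?php
// Added example. On PHP < 5.5, first load the compatibility library as in the answer:
// require_once("password.php");

const BCRYPT_COST = 10; // assumed target cost (the value used in the answer)

// Hypothetical helper: hash a new password for storage.
function store_password(array &$users, $name, $password) {
    // No salt is passed: password_hash() generates a random one and embeds it,
    // together with the algorithm and cost, in the returned 60-character string.
    $users[$name] = password_hash($password, PASSWORD_BCRYPT, array("cost" => BCRYPT_COST));
}

// Hypothetical helper: verify a login and upgrade outdated hashes.
function login(array &$users, $name, $password) {
    if (!isset($users[$name]) || !password_verify($password, $users[$name])) {
        return false;
    }
    // The plaintext is only available at login, so this is the moment to re-hash
    // records that were created with a lower cost than the current target.
    if (password_needs_rehash($users[$name], PASSWORD_BCRYPT, array("cost" => BCRYPT_COST))) {
        store_password($users, $name, $password);
    }
    return true;
}

// Constructed sample data: an in-memory array standing in for the users table.
$users = array();
store_password($users, "alice", "HelloStackOverflow");
store_password($users, "carol", "HelloStackOverflow");
// "bob" simulates an old record that was hashed at a weaker cost.
$users["bob"] = password_hash("HelloStackOverflow", PASSWORD_BCRYPT, array("cost" => 4));

// Same password and cost, compared as stored strings (each hash has its own salt).
var_dump($users["alice"] !== $users["carol"]);

$before = password_get_info($users["bob"]);
var_dump(login($users, "bob", "wrong guess"));        // wrong password attempt
var_dump(login($users, "bob", "HelloStackOverflow")); // correct password, triggers the upgrade
$after = password_get_info($users["bob"]);
echo "bob cost: ", $before["options"]["cost"], " -> ", $after["options"]["cost"], "\n";
```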
